Key Management

[1] The issue of Key Management is an important consideration when selecting any CA system. To understand the importance of this subject, you must first understand the real difference between the Key-Pair and the Certificate. The Key-Pair is used to provide the authentication and the unique identity of the end user. The Certificate, which is used to sign this Key-Pair, tells you that it is valid and ‘not out of date’. Together, the Key-Pair and the Certificate create the ‘package’ that makes up the Digital Certificate [2].

When considering whether you need (or want) Key Management, you should clearly understand the total environment that your Digital Certificates will be used in and, in particular, your end users. This requires that you pay special attention to the following three ‘Top Considerations’ when selecting the correct CA for you:

Three Top Considerations

1. Whether your User Group is Open or Closed

2. The Delivery Method you will use

3. The Storage Type you select

Once these three principles are clearly understood, you need to understand the long-term impact of the Key Management you choose; this is dictated by the Digital Certificate Binding Option (see sub section 3.8.4) that you decide upon. The Digital Certificate Binding Option is the fourth and final Top Consideration when selecting the correct CA for you.

The Fourth Top Consideration

4. Your choice of Certificate Binding Option

What is Key Escrow

Key Escrow can be a valuable service for any user who loses their Digital Certificate, or whose Certificate is corrupted for any reason. The user can request a replacement for the lost Keys that were used when their Digital Certificate was generated.

Key Escrow can be likened to leaving the spare key for your house with a trusted neighbour, so that if anything happens to the original you know you have a spare. This type of help from your trusted neighbour could also be referred to as key escrow. Alternatively, and using the same analogy, it might be just as good to have a backup key stored elsewhere. The CA equivalent of this is called the Digital Certificate Backup.

Backing up computer data is now understood as a routine responsibility, and including the user’s Digital Certificate Backup in this routine is simple.

What is Key Management

Key Management is often mistakenly linked to the Key Escrow service and should be clearly understood as a separate service that many CAs provide so that users can manage multiple Key-Pairs and Certificates.

Key Management is only necessary when users have multiple Keys, and this only occurs when the Disposable Binding Option (see sub section 3.8.4.13.8.4) is chosen. To understand why Key Management is only needed in these particular cases, you must first understand the X.509 elements that are used when generating the Digital Certificate.

How Digital Certificates are Generated

As explained under Dual Key Cryptography in 2.5.4, the Public and Private Key together form the Key-Pair that is used to authenticate the user. This Key-Pair is generated using the RSA algorithm and, once created, the Certificate signs the Key-Pair with the information that you see when you open the Digital Certificate. This signing procedure inextricably ‘binds’ the specific Key-Pair to the specific Certificate that was used to sign it. This is what makes up the elements of the Digital Certificate.
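The following Go program is an added example, not code from this guide or from any CA product; it illustrates both the Key Escrow / Digital Certificate Backup discussion above and the generation and binding just described. It uses only Go's standard library. An RSA key pair is generated for the user, the CA's private key signs an X.509 certificate that carries the user's public key (that signature is the binding), and Validate checks the two things a relying party cares about: that the certificate chains to the CA and is not out of date, and that the private key presented is the one the certificate was issued for. BackupKey and RestoreKey play the part of the Digital Certificate Backup: the certificate itself is public, so the private key is the part that must be recoverable. The CA name, the user names and the 24-hour validity period are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is the "package" the text describes: the user's RSA Key-Pair plus the
// Certificate that binds its public half to an identity and a validity period.
type Bundle struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a fresh RSA Key-Pair and has parent's private key sign a
// certificate over its public key. With parent == nil the result is a
// self-signed CA; the CA name and validity window are constructed for the example.
func issue(parent *Bundle, name string) (*Bundle, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	} else {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Bundle{Key: key, Cert: cert}, nil
}

// Validate checks that cert chains to ca and is within its validity period at
// time 'at' (not "out of date"), and that the presented private key is the one
// the certificate was issued for (the binding). A different Key-Pair fails.
func Validate(ca, cert *x509.Certificate, key *rsa.PrivateKey, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("presented key does not match the certificate's public key")
	}
	return nil
}

// BackupKey exports the private half as PKCS#8 PEM, the Digital Certificate
// Backup of the text. A production backup would be encrypted at rest; the
// plain encoding here is a simplification for the example.
func BackupKey(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// RestoreKey reverses BackupKey. After a restore (or an escrow recovery) the
// caller re-runs Validate against the original certificate to confirm the match.
func RestoreKey(p []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(p)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rk, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("backup does not contain an RSA key")
	}
	return rk, nil
}

func main() {
	ca, _ := issue(nil, "Example Issuing CA")
	alice, _ := issue(ca, "alice@example.test") // constructed sample user
	bob, _ := issue(ca, "bob@example.test")
	fmt.Println("alice, now:        ", Validate(ca.Cert, alice.Cert, alice.Key, time.Now()))
	fmt.Println("alice, in two days:", Validate(ca.Cert, alice.Cert, alice.Key, time.Now().Add(48*time.Hour)))
	fmt.Println("bob's key, alice's cert:", Validate(ca.Cert, alice.Cert, bob.Key, time.Now()))
	backup, _ := BackupKey(alice.Key)
	restored, _ := RestoreKey(backup)
	fmt.Println("restored key:      ", Validate(ca.Cert, alice.Cert, restored, time.Now()))
}
```

The three failure cases main prints are the ones the text's Top Considerations turn on: an expired certificate is rejected even with the right key, another user's Key-Pair is rejected even with a valid certificate, and a restored backup is accepted only because it reproduces the exact private key the certificate was bound to.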